Business Associate Agreement (BAA) Breach Notification Clause: HIPAA Requirements and Sample Language

Kevin Henry

HIPAA

January 26, 2026

HIPAA Breach Notification Rule

Purpose and scope

The Breach Notification Rule requires prompt notice after a breach of Unsecured PHI. If you are a business associate, you must notify the covered entity; if you are a covered entity, you must notify affected individuals, the Secretary of Health and Human Services, and in some cases the media. These Covered Entity Obligations are triggered only when Unsecured PHI has been compromised.

Key concepts and Breach Notification Thresholds

  • Protected Health Information (PHI): Individually identifiable health data in any form that relates to health status, care, or payment.
  • Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, unencrypted data).
  • Breach Notification Thresholds: Breaches affecting fewer than 500 individuals are logged and reported to the Secretary annually, after the end of the calendar year; breaches affecting 500 or more individuals require prompt reporting to the Secretary, and 500 or more residents of a single state or jurisdiction additionally require media notice.

Risk Assessment Requirements

Before concluding that notice is required, you must perform a documented four-factor risk assessment to determine whether there is a low probability that PHI has been compromised. Consider: the nature and extent of PHI involved; the unauthorized person who used or received it; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Unless this analysis shows low probability, a breach is presumed and notifications are required.

Definition of Breach

A breach is an impermissible use or disclosure of Unsecured PHI that compromises its privacy or security. The event is treated as “discovered” on the first day you knew or should reasonably have known of it, and knowledge by any workforce member or agent is imputed to the organization. Discovery starts the Breach Discovery Timeline that drives all notification deadlines.

Exceptions to Breach Definition

  • Unintentional access or use by a workforce member acting in good faith, within scope of authority, with no further improper use or disclosure.
  • Inadvertent disclosure from one authorized person to another within the same covered entity, business associate, or organized health care arrangement, with no further improper use or disclosure.
  • Good-faith belief that the unauthorized recipient could not reasonably have retained the information (for example, a notice mailed to the wrong address but returned unopened).

If an exception applies, the incident is not a breach and notification is not required; still, document your analysis.

Business Associate's Notification Obligation

Trigger and timing

Upon discovery of a breach of Unsecured PHI, the business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Your BAA may impose a shorter period (often 5–15 days) to ensure the covered entity can meet its own deadlines.

Method and recipient

Provide written notice to the covered entity’s designated contact (for example, Privacy Officer or security incident mailbox). If your assessment is ongoing, send an initial notice with available facts and follow up promptly as new details emerge.

Subcontractors

You must require subcontractors to report incidents to you, and you remain responsible for notifying the covered entity. Flow these terms down in all downstream agreements handling PHI.

Content of Notification

From business associate to covered entity

  • A brief description of what happened, including the date of the breach and the date of discovery.
  • The types of PHI involved (for example, names, addresses, Social Security numbers, diagnoses, treatment data, account information).
  • The number of individuals affected and identification of each affected individual, if known.
  • Any steps individuals should take to protect themselves from potential harm.
  • What you have done to investigate, mitigate harm, and prevent further incidents.
  • Contact information for questions (toll-free number, email, or postal address).
  • Any known Breach Notification Thresholds potentially triggered (for example, 500+ in one state).

From covered entity to individuals

The covered entity’s notice must clearly describe what happened, what information was involved, steps individuals should take, what the entity is doing to investigate and mitigate, and how to get more information. Write plainly and tailor guidance to the specific risks.

Covered Entity's Notification Duties

Notification to individuals

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Use first-class mail, or email where the individual has agreed to electronic notice. If contact information is insufficient or out of date for 10 or more individuals, provide substitute notice via a 90‑day web posting or major media in the areas where they likely reside, together with a toll-free number.

Notification to the media

If a breach involves 500 or more residents of a single state or jurisdiction, provide a media notice to prominent outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. This is in addition to individual notices.

Notification to the Secretary of Health and Human Services

  • 500 or more individuals: Report to the Secretary without unreasonable delay and no later than 60 calendar days after discovery.
  • Fewer than 500 individuals: Log the breach and submit the log to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.

Law enforcement delay

If a law enforcement official states that notice would impede a criminal investigation or cause damage to national security, delay notifications for the period specified by the official. If the request is oral, document it and delay for up to 30 days unless a written request extending the delay is received.

Sample BAA Breach Notification Clause

Model language you can adapt

Breach Notification.

  • Definitions. “PHI” means Protected Health Information. “Breach” means an impermissible use or disclosure of Unsecured PHI that compromises its privacy or security, excluding recognized exceptions. “Discovery” occurs when Business Associate first knows or reasonably should know of the Breach.
  • Discovery and Timing. Business Associate shall notify Covered Entity of any Breach without unreasonable delay and in no event later than [10] calendar days after Discovery, to enable Covered Entity to meet its own deadlines.
  • Form and Recipient. Notice shall be in writing and directed to Covered Entity’s Privacy Officer at the address or email designated in the Agreement. Initial notice may be preliminary; Business Associate will supplement promptly as additional information becomes available.
  • Content. The notice shall include: (a) a brief description of what happened, including the date of the Breach and the date of Discovery; (b) the types of PHI involved; (c) the number and, if known, identities of affected individuals; (d) steps individuals should take to protect themselves; (e) a description of what Business Associate is doing to investigate, mitigate harm, and prevent recurrence; and (f) a contact point for questions.
  • Subcontractors. Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to these Breach reporting obligations and promptly reports to Business Associate any suspected or actual Breach.
  • Mitigation and Cooperation. Business Associate shall mitigate, to the extent practicable, any harmful effects of a Breach and shall cooperate with Covered Entity in drafting individual, media, and Secretary notifications, consistent with applicable Breach Notification Thresholds.
  • Law Enforcement Delay. If a law enforcement official advises that notice would impede a criminal investigation or cause damage to national security, Business Associate may delay notice for the period specified, documenting the request and the official’s identity.
  • Documentation. Business Associate shall maintain documentation of the Breach, risk assessment, notifications, and mitigation steps for at least [six] years and provide such records to Covered Entity upon request.

Summary

Build your BAA to trigger rapid, well-documented reporting from the business associate, capture all details needed for timely individual notice, and account for thresholds that require media and Secretary notifications. Clear timelines, defined roles, and risk assessment checkpoints keep your Breach Discovery Timeline on track and reduce downstream risk.

FAQs

What triggers a breach notification under HIPAA?

Notification is triggered when there is an impermissible use or disclosure of Unsecured PHI that, after applying the Risk Assessment Requirements, is not shown to have a low probability of compromise. Because a breach is presumed, you must notify unless your assessment supports a low-probability finding.

How soon must a business associate notify of a breach?

The Rule requires notice to the covered entity without unreasonable delay and no later than 60 calendar days after discovery. Many BAAs tighten this to 5–15 days so the covered entity can meet its own 60‑day deadline. Always follow the shorter period in your contract.

What information must be included in a breach notification?

Include what happened (with breach and discovery dates), the types of PHI involved, how many and which individuals were affected, steps individuals should take, actions taken to investigate and mitigate, and a contact method for questions. Provide enough detail for the covered entity to satisfy all Covered Entity Obligations.

When is media notification required for a breach?

Media notice is required when a breach involves 500 or more residents of a single state or jurisdiction. In those cases, the covered entity must also notify the Secretary of Health and Human Services without unreasonable delay and within 60 days, in addition to notifying affected individuals.
